
The Hole in Your $100 Million Suit of Armor, or: How to Stop Spending Millions on Something That Just Isn’t Working
Zero trust! I use an exclamation point because I think it has become a marketing requirement to do so these days. It is cool, it is special, it is magical…right? Having spent the last few years as an identity security resource to my zero trust founding colleagues, I can tell you that none of those superlatives are accurate.
Zero trust is a tacit acknowledgment that the notions of layered security and unquestioned or uncontrolled access to anything within your systems are a failed strategy. The empirical evidence related to cyber-attacks, fraud, and breaches confirms that the former frameworks for security have failed. This may be a big reason why zero trust has faced so much resistance in the marketplace…because it requires corporate-level intellectual honesty and courage to admit that what we’ve spent millions upon millions of dollars on is just not working.
Let’s face it, our entire corporate cybersecurity kingdom is tied to a boat anchor of old methods and approaches. Not only do we have leaders and departments supporting the institutional status quo in order to continue receiving funding, but we’ve placed political cement around our feet that eliminates our ability to leverage a key strength the bad guys use every day: agility.
So, let’s now operate under the assumption that you’ve recently embarked on a zero trust journey. Why did you start this journey? Maybe you realized that zero trust isn’t mystical, but rather a compilation of some of the best practices in security that we’ve known about for a long time. (You know, like least-privilege access?) Or perhaps you’re taking the necessary steps to apply zero trust principles to your environment because you realize that no one is selling a “zero trust in a box” solution and that the bandwagon hype touted by too many solution providers is just noise to be ignored.
Congrats and kudos on your efforts and progress! It is the right step in strengthening your company’s security and matching your adversary’s agility. You won’t get there overnight, but at least you’ve made the important realization that you won’t get there at all if you don’t make changes to your security program at the core, foundational level.
Now, let’s just make sure you don’t build a $100 million suit of armor with massive holes in it.
Those holes? Those are the unfortunate consequence of not re-thinking your identity security plane along with all the other changes you’re making to your environment. I’ve spoken about the risks and weaknesses that organizations face due to the poor condition of identity-centric security hundreds of times over. In all those years, I’ve never had a single person or company criticize or deny that position. Everyone readily acknowledges the elephant in the room, but no one has ever told me the elephant didn’t exist.
Given how little attention most organizations pay to the critical importance of identity in their security architecture, most readers will assume that I’m simply going to remind people to make identity a keystone of their zero trust program. That really isn’t necessary. Because, to be painfully frank, it isn’t even possible to achieve zero trust without dramatically improving your identity security performance.
The ascription of identity to all things within your enterprise systems isn’t just my idea: the founder of zero trust has consistently shared that same view for a long time. Simply put, you must understand and control your ENTIRE inventory of identities to make zero trust fly. The real hole in your armor? The “entire” inventory of identities is both the hole and the challenge. To explain and highlight the nature of the hole, we only need to ask one question…
How Many Unknown Identities Does It Take Inside One of Your Systems to Be a Risk?
If you answered more than one, you answered too many. It only takes one unknown identity or entity inside of the wire to bring your company down, to lock up your servers, to abscond with your funds, to bleed terabytes of data out of your organization. Just one.
How many unknown identities are circulating, at this very moment, inside your systems? How many accounts that have continuous, persistent, and privileged access are assigned to people who have left your company years ago? How many functional accounts are being used by humans in your company because it is “just easier”? Feeling good that you control and understand all the bots flying around your digital world? How about that trusted partner that has 21 people re-using the account of someone who retired 3 years ago because it’s just too difficult to get new accounts set up with you?
As you continue towards zero trust, it’s critical to realize and accept that zero trust isn’t about not trusting. Trust is a human emotion, and it has no place in the digital world to begin with. Zero trust is about refusing to allow an unknown…any unknown…to reside within your systems. Choosing to allow access isn’t the same as extending trust. It is about deciding on the who, what, where, when, and why of that identity in the moment, to give them just enough authority to do what needs to be done. Understanding your entire inventory of identities, from employees to contractors to partners to franchisees or researchers, is the first step toward ensuring you aren’t building a suit of armor with holes.
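The questions above (accounts belonging to people who left years ago, functional accounts used interactively by humans, a partner account shared by many people) are the kind of thing an identity-inventory reconciliation surfaces mechanically. The script below is an added example, not code from the post or from SecZetta: it reconciles a constructed directory export against a constructed HR/partner roster and interactive-logon log, and flags orphaned accounts, dormant privileged accounts, and accounts reached from several distinct sources. The data, field names, and thresholds are all assumptions chosen for illustration.

```python
"""
Identity-inventory audit over constructed sample data (added example).

Three checks, each answering one of the post's questions:
  * orphaned accounts      - no accountable owner, or the owner left the roster
  * dormant privileged     - privileged accounts with no sign-in within STALE_DAYS
  * shared accounts        - accounts used interactively from many distinct sources
"""
from collections import defaultdict
from datetime import date

# --- constructed sample data (assumptions, not from the post) ---------------
AS_OF = date(2023, 6, 1)      # the day the audit is run
STALE_DAYS = 90               # how long a privileged account may sit unused

# Identities the organisation knows about, with an end date once they leave.
ROSTER = {
    "alice": {"type": "employee",   "end_date": None},
    "bob":   {"type": "employee",   "end_date": date(2020, 3, 31)},
    "carol": {"type": "contractor", "end_date": None},
    "dave":  {"type": "partner",    "end_date": date(2020, 5, 15)},
}

# Directory/IAM export: one row per account.
ACCOUNTS = [
    {"account": "alice",      "owner": "alice", "kind": "user",    "privileged": False, "last_login": date(2023, 5, 30)},
    {"account": "bob",        "owner": "bob",   "kind": "user",    "privileged": True,  "last_login": date(2023, 5, 28)},
    {"account": "carol",      "owner": "carol", "kind": "user",    "privileged": True,  "last_login": date(2022, 11, 1)},
    {"account": "svc-backup", "owner": None,    "kind": "service", "privileged": True,  "last_login": date(2023, 5, 31)},
    {"account": "ptnr-dave",  "owner": "dave",  "kind": "user",    "privileged": False, "last_login": date(2023, 5, 29)},
    {"account": "build-bot",  "owner": "alice", "kind": "service", "privileged": False, "last_login": date(2023, 5, 31)},
]

# Interactive logon records: (account, originating workstation/host).
INTERACTIVE_LOGONS = [
    ("svc-backup", "ws-alice"), ("svc-backup", "ws-erin"),   ("svc-backup", "ws-frank"),
    ("ptnr-dave",  "ext-host-1"), ("ptnr-dave", "ext-host-2"), ("ptnr-dave", "ext-host-3"),
]


def orphaned_accounts(accounts, roster, as_of):
    """Accounts with no accountable owner, or whose owner's roster record has ended."""
    result = {}
    for acct in accounts:
        owner = acct["owner"]
        if owner is None:
            result[acct["account"]] = "no accountable owner"
            continue
        record = roster.get(owner)
        if record is None:
            result[acct["account"]] = f"owner {owner!r} not in roster"
        elif record["end_date"] is not None and record["end_date"] < as_of:
            result[acct["account"]] = f"owner {owner!r} left on {record['end_date'].isoformat()}"
    return result


def stale_privileged_accounts(accounts, as_of, stale_days):
    """Privileged accounts that have not signed in within stale_days; value is days idle."""
    return {
        a["account"]: (as_of - a["last_login"]).days
        for a in accounts
        if a["privileged"] and (as_of - a["last_login"]).days > stale_days
    }


def shared_accounts(logons, min_sources=2):
    """Accounts reached interactively from at least min_sources distinct origins."""
    sources = defaultdict(set)
    for account, source in logons:
        sources[account].add(source)
    return {a: len(s) for a, s in sources.items() if len(s) >= min_sources}


def audit(accounts=ACCOUNTS, roster=ROSTER, logons=INTERACTIVE_LOGONS,
          as_of=AS_OF, stale_days=STALE_DAYS):
    """Combine the three checks into {account: [reason, ...]}."""
    findings = defaultdict(list)
    for acct, why in orphaned_accounts(accounts, roster, as_of).items():
        findings[acct].append(f"orphaned: {why}")
    for acct, days in stale_privileged_accounts(accounts, as_of, stale_days).items():
        findings[acct].append(f"privileged account dormant for {days} days")
    for acct, n in shared_accounts(logons).items():
        findings[acct].append(f"used interactively from {n} distinct sources")
    return dict(findings)


if __name__ == "__main__":
    for acct, reasons in sorted(audit().items()):
        print(acct)
        for reason in reasons:
            print("  -", reason)
```

Note that `bob` signed in four days before the audit even though his roster record ended in 2020: the stale-login check alone would never have caught him, which is why owner reconciliation against the roster is the check that matters most. The same structure applies to real exports (an IdP user list, an HR feed, and authentication logs) once the field mapping is adjusted.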
This is the first installment of a series by Richard Bird. Stay tuned for Part 2!
Embark on a quick product tour to see how SecZetta gives you control over your entire identity inventory to ensure that you’re not building a suit of armor that has more holes in it than a slice of Swiss cheese.
*** This is a Security Bloggers Network syndicated blog from Industry Blog - SecZetta authored by Richard Bird. Read the original post at: https://www.seczetta.com/blog-hole-in-your-armor/